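---
# file: roles/common/tasks/common.yml
#
# Baseline host configuration for the `common` role: directories, sudoers
# policy, DNS (resolvconf), APT sources/proxy, sshd, package installation,
# locales, firewall script, cron, logging, networking and a few helper
# scripts.  Several tasks below pull binaries or keys from the network;
# the comments on those tasks point out where integrity is not verified.
#
# Conventions in this file:
#   - file modes are quoted strings ("0644") so the YAML loader cannot
#     reinterpret them as octal integers;
#   - booleans are written as true/false only.

- name: Ensure directories
  file:
    path: '{{ item }}'
    state: directory
  with_items:
    - /etc/ansible/facts.d

# sudo refuses files in sudoers.d that are world/group writable; 0440 root:root
# is the conventional mode.  The policy itself lives in the template.
- name: Sudoers Policy
  template:
    src: etc_sudoers_d_policy
    dest: /etc/sudoers.d/policy
    owner: root
    group: root
    mode: "0440"

# Regarding resolve service, see https://www.ctrl.blog/entry/resolvconf-tutorial.html
- name: Install resolvconf
  apt:
    pkg: '{{ packages }}'
    state: present
    update_cache: true
  vars:
    packages:
      - resolvconf

- name: Disable systemd.resolved
  service:
    name: systemd-resolved
    state: stopped
    enabled: false

- name: Configure resolv.conf
  template:
    src: etc_resolv_conf
    dest: /etc/resolvconf/resolv.conf.d/head
    owner: root
    group: root
    mode: "0644"
  when: nameserver is defined
  notify:
    - Update resolv config

- name: Configure limits.conf
  template:
    src: etc_security_limits.conf
    dest: /etc/security/limits.d/limits.conf
    owner: root
    group: root
    mode: "0644"

- name: Remove default apt.conf
  file:
    path: /etc/apt/apt.conf
    state: absent

# `apt_proxy` is used directly as the condition, so any non-empty value
# (e.g. the proxy URL) enables the task.
- name: Configure APT Proxy
  template:
    src: etc_apt_apt_conf_d_02proxy
    dest: /etc/apt/apt.conf.d/02proxy
    owner: root
    group: root
    mode: "0644"
  when: apt_proxy

# NOTE(review): the task name says this disables unattended upgrades
# (template content not visible here).  If that is the intent, security
# patching has to be covered by some other process for these hosts.
- name: Turn off unattended upgrades
  template:
    src: etc_apt_apt_conf_d_50unattended_upgrades
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    owner: root
    group: root
    mode: "0644"

- name: Prepare the apt source list
  template:
    src: etc_apt_sources_list
    dest: /etc/apt/sources.list
    owner: root
    group: root
    mode: "0644"

- name: Prepare the apt source security list
  template:
    src: etc_apt_security_sources_list
    dest: /etc/apt/security.sources.list
    owner: root
    group: root
    mode: "0644"

# NOTE(review): `command` already fails the task on a non-zero rc, so the
# changed_when expression below can presumably only ever evaluate to false
# on a successful run — i.e. the task never reports "changed".  Confirm that
# this is the intended behaviour before simplifying to `changed_when: false`.
- name: Prepare package manager
  command: dpkg --configure -a
  register: common_dpkg
  changed_when: common_dpkg is defined and common_dpkg.rc != 0

- name: Create The /etc/hostname File
  template:
    src: etc_hostname
    dest: /etc/hostname
    owner: root
    group: root
    mode: "0644"
  notify:
    - Set The Hostname

# The sshd policy (password login off, per the task name) is in the template;
# the handler restarts sshd so the change takes effect in the same run.
- name: SSH configuration, turn-off password login
  template:
    src: etc_ssh_sshd_config.jinja2
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0644"
  tags:
    - ssh
  notify:
    - Restart SSH

- name: Install essential security relevant packages
  apt:
    pkg: '{{ packages }}'
    state: present
    update_cache: true
  vars:
    packages:
      - iptables

- name: Install essential packages
  apt:
    pkg: '{{ packages }}'
    state: present
    update_cache: true
  vars:
    packages:
      - acl
      - apt-transport-https
      - aptitude
      - at
      - bmon
      - build-essential
      - curl
      - dstat
      - fuse
      - gobject-introspection
      - haveged
      - htop
      - iotop
      - jq
      - libaio1
      - libcairo2-dev
      - libcurl4-openssl-dev
      - libffi-dev
      - libgif-dev
      - libgirepository1.0-dev
      # - libicu-dev
      - libjpeg-dev
      - libmysqlclient-dev
      - libpng-dev
      - librsync-dev
      - libssl-dev
      - lsof
      - mc
      - nano
      - ncdu
      - ntpdate
      - parallel
      - postfix
      - postfix-pcre
      - python
      - python-dev
      - python-passlib
      - python-pyasn1
      - python-setuptools
      - python3-dev
      - python3-passlib
      - python3-setuptools
      - rsync
      - sntop
      - sshfs
      - subversion
      - unzip
      - update-notifier
      - zsh

# Despite the name this installs the distro packages for pip and
# add-apt-repository via apt, not anything via pip.
- name: Install essential pip packages
  apt:
    pkg: '{{ packages }}'
    state: present
  vars:
    packages:
      - python3-pip
      - software-properties-common

# NOTE(review): these .deb files are version-pinned but their contents are
# not verified (no checksum, no signature), and `ignore_errors` hides a
# failed or tampered download.  Consider downloading with get_url and its
# `checksum:` option first, or installing from a signed repository.
- name: Install tools via deb
  apt:
    deb: '{{ item }}'
  with_items:
    - https://github.com/sharkdp/bat/releases/download/v0.6.1/bat_0.6.1_amd64.deb
    - https://github.com/sharkdp/fd/releases/download/v7.1.0/fd_7.1.0_amd64.deb
  ignore_errors: true

# NOTE(review): this fetches an executable from a moving branch (master)
# straight into /usr/local/bin with no checksum; whatever is on that branch
# at run time is what gets installed.  Pin a commit/tag and add a
# `checksum: sha256:<value>` to get_url.
- name: Install tools via curl
  get_url:
    url: 'https://raw.githubusercontent.com/denilsonsa/prettyping/master/prettyping'
    dest: /usr/local/bin/prettyping
    mode: "0755"
  ignore_errors: true

# easy_install is the legacy setuptools installer; on bionic pip comes from
# the python3-pip package installed above instead.
- name: Install PIP
  become: true
  easy_install:
    name: '{{ item }}'
  with_items:
    - pip
  when: ansible_distribution_release != 'bionic'

- name: Generate Locales
  locale_gen:
    name: '{{ item }}'
  with_items:
    - en_GB.UTF-8
    - en_US.UTF-8
    - de_DE.UTF-8

# NOTE(review): four of these keys are fetched over plain http.  The key id
# in the URL is only a lookup parameter — nothing here verifies that the
# key received is the one expected, so a network-level attacker could
# substitute a signing key.  Use https URLs and/or apt_key's `id:` to pin
# the fingerprint.  apt-key itself is deprecated on newer Ubuntu releases;
# signed-by keyrings per repository are the replacement.
- name: Add Apt Keys
  apt_key:
    url: '{{ item }}'
    state: present
  with_items:
    # Git Core
    - http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xA1715D88E1DF1F24
    # Git LFS
    - https://packagecloud.io/github/git-lfs/gpgkey
    # Ondrej
    - http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x4F4EA0AAE5267A6C
    # Oracle Java
    - http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x7B2C3B0889BF5709A105D03AC2518248EEA14886
    # Nextcloud Client
    - http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x60EE47FBAD3DD469

- name: Add Apt Repositories
  apt_repository:
    repo: '{{ item }}'
    state: present
    mode: "0644"
  with_items:
    - ppa:git-core/ppa
    - 'deb https://packagecloud.io/github/git-lfs/ubuntu/ {{ ansible_distribution_release }} main'
    - ppa:fish-shell/release-3

- name: Add Apt Repositories before bionic
  apt_repository:
    repo: '{{ item }}'
    state: present
    mode: "0644"
  with_items:
    - ppa:lordgaav/duperemove
  when: ansible_distribution_release != 'bionic' and ansible_distribution_release != 'focal'

- name: Add Apt Repositories for Ubuntu 14
  apt_repository:
    repo: '{{ item }}'
    state: present
    mode: "0644"
  with_items:
    - ppa:mc3man/trusty-media
  when: ansible_distribution_major_version == '14'

- name: Install more packages
  apt:
    pkg: '{{ packages }}'
    state: present
    update_cache: true
  vars:
    packages:
      - ffmpeg
      - fish
      - git
      - git-extras
      - git-flow
      - git-lfs
      - mosh

# Note the condition differs from the matching PPA task above (which also
# skips focal): on focal duperemove is presumably expected from the distro
# repositories — confirm.
- name: Install more packages before bionic
  apt:
    pkg: '{{ packages }}'
    state: present
    update_cache: true
  vars:
    packages:
      - duperemove
  when: ansible_distribution_release != 'bionic'

# Placeholder: currently nothing is removed.
- name: Remove some packages
  apt:
    pkg: '{{ packages }}'
    state: absent
  vars:
    packages: []

- name: Ensure Composer Home
  file:
    path: '{{ composer_home_path }}/vendor/bin'
    state: directory
  when: composer_home_path is defined

# Per-user tasks run for root plus every admin and jail user; the loop
# variable is renamed so the included files can use `username`.
- name: Include userfiles
  include_tasks: userfiles.yml
  with_flattened:
    - ['root']
    - '{{ admins }}'
    - '{{ jailusers }}'
  loop_control:
    loop_var: username
  when: users[username] is defined
  tags:
    - userfiles

- name: Include shells
  include_tasks: shells.yml
  with_flattened:
    - ['root']
    - '{{ admins }}'
    - '{{ jailusers }}'
  loop_control:
    loop_var: username
  tags:
    - shells

- name: Config Environment
  template:
    src: etc_environment
    dest: /etc/environment
    owner: root
    group: root
    mode: "0644"
  tags:
    - shells

- name: Config fish shell
  template:
    src: etc_fish_config_fish
    dest: /etc/fish/config.fish
    owner: root
    group: root
    mode: "0755"
  tags:
    - shells

# NOTE(review): these are installed from PyPI without version pins, so the
# installed set drifts between runs.
- name: Install Python Components
  pip:
    name: '{{ packages }}'
    state: present
  vars:
    packages:
      - configobj
      - httplib2
      - pyrfc3339
      - python-dotenv
      - python-gitlab
      - speedtest-cli

# Abort early if the firewall template would be rendered for a DHCP
# interface without the variable it needs.
- name: Check DHCP Settings for Firewall
  fail:
    msg: "You are using DHCP in your network settings but you haven't defined ip_v4_dhcp for the firewall"
  with_items: '{{ network_interfaces }}'
  when: config_firewall and item.dhcp and ip_v4_dhcp is not defined and item.active|default(true)
  tags:
    - firewall
    - network

- name: Create Firewall Script File
  template:
    src: etc_init_d_firewall.jinja2
    dest: /etc/init.d/firewall
    owner: root
    group: root
    mode: "0755"
  when: config_firewall
  notify:
    - Restart Firewall
    - Include Firewall Boot-List
    - Restart Docker
  tags:
    - firewall
    - network

- name: Set timezone
  timezone:
    name: '{{ timezone|default("Etc/UTC") }}'

- name: Copy Ntpdate Script
  copy:
    src: etc_cron_daily_ntpdate
    dest: /etc/cron.daily/ntpdate
    owner: root
    group: root
    mode: "0755"
  notify:
    - Run Ntpdate

- name: Configure FUSE
  template:
    src: etc_fuse.conf
    dest: /etc/fuse.conf
    owner: root
    group: root
    mode: "0644"

- name: Install syslog-ng packages
  apt:
    pkg: '{{ packages }}'
    state: present
    update_cache: true
  vars:
    packages:
      - syslog-ng-core
      - syslog-ng
  when: config_syslog_ng

- name: Logrotate configuration
  template:
    src: etc-logrotate-d-syslog-ng
    dest: /etc/logrotate.d/syslog-ng
    owner: root
    group: root
    mode: "0644"
  when: config_syslog_ng
  tags:
    - logrotate

# Disabled (`when: false`) — kept for reference.
- name: Copy Custom Syslog-ng Config File
  # See http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/en/syslog-ng-ose-v3.3-guide-admin-en/html/bk01-toc.html
  template:
    src: etc_syslog_ng_conf
    dest: /etc/syslog-ng/conf.d/00load-custom.conf
    owner: root
    group: root
    mode: "0644"
  when: false
  notify:
    - Restart Syslog-ng

- name: Message Of The Day
  copy:
    src: etc-update-motd-d-95-ansible
    dest: /etc/update-motd.d/95-ansible
    mode: "0755"

# The three crontab tasks below share one item schema: name, job, and the
# optional env/value/user/month/day/weekday/hour/minute/redirect/disabled
# keys.  Each job's output is appended to `redirect` (default /dev/null).
# `default([])` on the loop keeps the task from erroring on an undefined
# variable before `when` is evaluated.
- name: Setup Group Crontabs
  cron:
    name: '{{ item.name }}'
    env: '{{ item.env|default(omit) }}'
    value: '{{ item.value|default(omit) }}'
    user: '{{ item.user|default(omit) }}'
    month: '{{ item.month|default(omit) }}'
    day: '{{ item.day|default(omit) }}'
    weekday: '{{ item.weekday|default(omit) }}'
    hour: '{{ item.hour|default(omit) }}'
    minute: '{{ item.minute|default(omit) }}'
    job: '{{ item.job|default("") }} >>{{ item.redirect|default("/dev/null") }} 2>&1'
    disabled: '{{ item.disabled|default(false) }}'
  with_items: '{{ cronjobs_group|default([]) }}'
  when: cronjobs_group is defined
  tags:
    - cron

- name: Setup Host Crontabs
  cron:
    name: '{{ item.name }}'
    env: '{{ item.env|default(omit) }}'
    value: '{{ item.value|default(omit) }}'
    user: '{{ item.user|default(omit) }}'
    month: '{{ item.month|default(omit) }}'
    day: '{{ item.day|default(omit) }}'
    weekday: '{{ item.weekday|default(omit) }}'
    hour: '{{ item.hour|default(omit) }}'
    minute: '{{ item.minute|default(omit) }}'
    job: '{{ item.job|default("") }} >>{{ item.redirect|default("/dev/null") }} 2>&1'
    disabled: '{{ item.disabled|default(false) }}'
  with_items: '{{ cronjobs_host|default([]) }}'
  when: cronjobs_host is defined
  tags:
    - cron

# Crontabs declared in local facts (/etc/ansible/facts.d, created above).
- name: Setup Host Crontabs from local setup
  cron:
    name: '{{ item.name }}'
    env: '{{ item.env|default(omit) }}'
    value: '{{ item.value|default(omit) }}'
    user: '{{ item.user|default(omit) }}'
    month: '{{ item.month|default(omit) }}'
    day: '{{ item.day|default(omit) }}'
    weekday: '{{ item.weekday|default(omit) }}'
    hour: '{{ item.hour|default(omit) }}'
    minute: '{{ item.minute|default(omit) }}'
    job: '{{ item.job|default("") }} >>{{ item.redirect|default("/dev/null") }} 2>&1'
    disabled: '{{ item.disabled|default(false) }}'
  with_items: '{{ ansible_local.crontabs|default([]) }}'
  tags:
    - cron

- name: Import tunnel
  import_tasks: tunnel.yml
  when: ssh_tunnel is defined
  tags:
    - tunnel

- name: Configure Network Interfaces
  template:
    src: etc_network_interfaces.jinja2
    dest: /etc/network/interfaces
    owner: root
    group: root
    mode: "0644"
  when: config_interfaces
  notify:
    - Restart Network
  tags:
    - network

# Legacy Python 2 helpers shipped with the role (youtrack client + urllib2
# helper); they are dropped into the system-wide dist-packages directory.
- name: Create directories for Python libs
  file:
    dest: '{{ item }}'
    state: directory
    owner: root
    group: root
    mode: "0755"
  with_items:
    - /usr/local/lib/python2.7/dist-packages
    - /usr/local/lib/python2.7/dist-packages/youtrack

- name: Copy Python libs
  copy:
    src: '{{ item }}'
    dest: /usr/local/lib/python2.7/dist-packages/{{ item }}
    owner: root
    group: root
    mode: "0644"
  with_items:
    - urllib2_file.py
    - youtrack/__init__.py
    - youtrack/connection.py
    - youtrack/importHelper.py

# rmate, see https://atom.io/packages/remote-atom
# source at https://github.com/aurora/rmate
- name: Install rmate script
  copy:
    src: rmate
    dest: /usr/local/bin/rmate
    owner: root
    group: root
    mode: "0755"

- name: Install ps_mem script
  copy:
    src: ps_mem.py
    dest: /usr/local/bin/ps_mem.py
    owner: root
    group: root
    mode: "0755"

# NOTE(review): only the file is written; nothing here reloads sysctl, so
# the new limit presumably takes effect at the next boot (or the `sysctl`
# module could apply it immediately) — confirm against the handlers.
- name: Set FS notify limit
  copy:
    src: etc_sysctl_d_30-fs-notify.conf
    dest: /etc/sysctl.d/fs-notify.conf
    owner: root
    group: root
    mode: "0644"

- name: Configure Git system wide
  template:
    src: etc_gitconfig
    dest: /etc/gitconfig
    owner: root
    group: root
    mode: "0644"

- name: Configure Git Ignore system wide
  template:
    src: etc_gitignore_global
    dest: /etc/gitignore_global
    owner: root
    group: root
    mode: "0644"

- name: Set email alias for root
  lineinfile:
    dest: /etc/aliases
    regexp: '^root:'
    line: 'root:{{ system_mail }}'
  when: system_mail is defined
  notify:
    - New Aliases

# NOTE(review): version-pinned release download, but no `checksum:` — the
# binary is installed executable without any integrity check.
- name: Download Ahoy
  get_url:
    url: 'https://github.com/ahoy-cli/ahoy/releases/download/2.0.0/ahoy-bin-{{ ansible_system }}-amd64'
    dest: /usr/local/bin/ahoy
    mode: "0755"

- name: Import postfix
  import_tasks: postfix.yml
  tags:
    - postfix

# `creates` makes the shell task idempotent: it is skipped once the
# target exists.
- name: Make rrsync available
  shell: gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c > /usr/local/bin/rrsync && chmod +x /usr/local/bin/rrsync
  args:
    creates: /usr/local/bin/rrsync
  when: ansible_distribution_release != 'focal'
  # TODO: use the more elegant version once uncompress is available in Ansible
  # unarchive:
  #   src: /usr/share/doc/rsync/scripts/rrsync.gz
  #   dest: /usr/local/bin
  #   remote_src: true
  #   mode: "0775"

- name: Import etckeeper
  import_tasks: etckeeper.yml
  tags:
    - etckeeper

- name: Import needrestart
  import_tasks: needrestart.yml
  when: ansible_distribution_major_version in ['16', '18', '20']
  tags:
    - needrestart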